HIPAA Blog

[ Friday, March 28, 2014 ]

HIPAA Security Risk Analysis: Regular readers will know that I regularly advise HIPAA covered entities to undertake, and periodically repeat, "risk analysis" reviews. It's been required under HIPAA since April 2005, and you simply can't have decent, appropriate policies and procedures without doing a risk analysis first: how do you show that you've taken appropriate security steps if you don't even know where your security risks are?

Additionally, as I've noted before, if you're taking "Meaningful Use" moneys (in connection with adopting EMR technology), then you must certify that you've done such a risk analysis.

There's already been one indictment for a False Claims Act violation against a hospital CFO who certified that the hospital did a security audit and was a "meaningful user," when they weren't. I'm hearing now that CMS is auditing MU stipend recipients and asking for proof of their risk analysis, and the policies and procedures generated by the analysis.

Whether you've done your risk analysis or not (you have to regularly re-do it, too), you should look at the Security Risk Assessment toolbox provided by HHS under HealthIT.gov. There is no standard template for what a Risk Assessment should look like, since it's entirely dependent on the specific facts of the specific entity.

You have a HIPAA obligation to do it. You may have a MU obligation to do it. And frankly, you have an obligation to your patients/customers to do it. So, . . .